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Abstract 

We propose a quantum authentication protocol that is robust against 
the theft of secret keys. In the protocol, disposable quantum pass- 
words prevent impersonation attacks with stolen secret keys. The 
protocol also prevents the leakage of secret information of a certifica- 
tion agent. 



1 hot t a@ tuhcp . phys . tohoku .ac.jp 
2 ozawa@math. cm. is. nogoya-u.ac.jp 



1 Introduction 



Secure authentication plays an important role in modern society, sup- 
porting various types of transactions. Recently, there has been a surge in 
crimes involving skimming passwords in smart cards. In addition, computer 
viruses and criminals have led to authentication systems leaking customer 
passwords from certification agents which should be kept secret under normal 
circumstances. These issues expose the fragility of classical authentication 
methods. Classical authentication is performed essentially by cross-checking 
classical secret information composed of alphanumeric characters and shared 
by two parties to identify each other. Although improved methods have been 
developed which apply biometrics including fingerprints and iris codes, these 
cannot stop skimming at a fundamental level. The root of the problem is 
that there exists no principle to prohibit the cloning of classical information. 

Meanwhile, quantum authentication is a possible way to assure such 
safety by employing fundamental physics principles. Under the no-cloning 
theorem [TJ of quantum information, there exists no physical process to per- 
fectly copy quantum states non-orthogonal to each other. Hence, by encoding 
secret information into non-orthogonal quantum states, it is possible to pre- 
vent perfect skimming. It is also known from the uncertainty principle [2] 
that measurements for eavesdropping by an adversary can be detected by 
checking the change of quantum states. 

Several quantum protocols for identification have been proposed. Those 
methods can be classified into two basic classes of method. In the first 
method, common secret keys are generated as classical information composed 
of alphanumeric characters [3]-[9]. In identification processes, shared classical 
information is converted into quantum information and sent from A, who 
is a user, to B, who is a certification agent. In the second method |10j- 
|12j . secret keys are shared as quantum information from the start. For 
example, A stores the information in a specific portable device, a quantum 
smart card, which is slotted into the quantum authentication machines of 
B. Though these quantum protocols have advantages over classical methods, 
several unsatisfactory aspects remain. For example, in the first method, clone 
leakage of classical secret keys from B cannot be prohibited in principle. For 
the second method, impersonation cannot be prohibited when A's quantum 
smart card is stolen. 
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In this paper, we propose a quantum protocol in which A can require B 
to identify herself under high security, overcoming the above disadvantages 
by using Bell states and one-time-pad passwords together. A's qubits of 
shared Bell pairs are stored in a quantum smart card. The password that 
A determines is memorized only by A and is not known by B or others. 
The advantages of our protocol are the following. (I) Even if A's quantum 
smart card is stolen by an adversary E, E cannot impersonate A without 
knowing her password. (II) No available information of the password is 
contained in the stolen card. (Ill) B does not keep any information about 
A's passwords, thereby avoiding the risk of clone-leakage from _B's storage 
by E. (IV) E cannot make perfect copies of the passwords by eavesdropping 
on quantum channels. Moreover, by hiding quantum-mechanically encoded 
passwords behind many decoy qubits when sending to B, a high rate of 
eavesdropping detection can be achieved. (V) In identification tests of A by 
B, entanglement between qubits of shared Bell pairs and qubits of passwords 
is not generated. Therefore, B can use A's quantum-password qubits once 
and then throw them away. Hence, B must resend to A only half of the 
qubits of the shared Bell pairs. 

This paper is organized as follows. In section 2, typical protocols of 
quantum authentication proposed to date are briefly reviewed. In section 3, 
we propose a simplified protocol with quantum passwords by which we will 
explain the basic ideas of our full protocol. In section 4, security analysis 
is given for the simplified protocol. In section 5, an improved protocol with 
high security is proposed by extending the simplified protocol in section 3. 



2 Protocols proposed to date 

In this section, we characterize authentication by the following, (a) There 
exist two parties A and B. (b) The purpose of authentication is that B 
identifies A with high success probability, (c) A and B have common secret 
keys that may be classical or quantum, (d) Authentication protocol are 
composed of the following phases. (d,i) Generation of secret keys. (d,ii) A 
and B work upon those secret keys by local operations and individually store 
them. (d,iii) In authentication, A and B are able to send their secret keys 
and other information using classical and quantum communication. (d,iv) 
B can check whether a user communicating with B is a legitimate person, 
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that is A, using locally accessible information. If something is wrong with 
this check, the process stops. (d,v) After B recognizes A, they are able to 
perform local operations and exchange information by classical and quantum 
communication. After that, the setup of (d,ii) is reproduced. 

If A also wants to identify B, the above protocol applies with exchanged 
roles. The protocol is called quantum when it requires quantum informa- 
tion and quantum media. In the following, we briefly review some proposed 
protocols. 

Classical authentication: In (c) above, secret keys can be composed of 
bit numbers. In (d,i), A and B meet and share a sequence of numbers. In 
(d,ii), they individually store the numbers without revealing them to any 
third party. For example, A memorizes the secret key and B stores the key 
in an electronic database. In (d,iii), A encodes the memorized information by 
classical ciphers and sends it to B. B decodes the information sent from A. 
In (d,iv), B compares the decoded result with her sequence of secret numbers. 
If the decoded information is consistent with the numbers, B recognizes A. 
If not, B stops the process. In this protocol, there is no need for phase (d,v) 
because B can discard the information sent from A. It is well known that 
this protocol cannot eliminate the danger of undetected leakage by cloning 
the classical information. 

Barnum 1 : Barnum [10] proposed two quantum protocols. The first 
method uses a sequence of qubit pairs in a fixed Bell state as secret keys 
of phase (c). In (d,i), A and B each share half of the Bell pairs. In (d,ii), 
A stores her qubit pairs in a quantum smart card, while B keeps hers in a 
quantum storage device. In (d,iii), A sends the quantum states stored in the 
smart card to B through a quantum channel. In (d,iv), B performs a Bell 
measurement of the qubits sent from A and the qubits stored in 5's storage 
device. From the measurement results, B verifies whether the two qubit 
states in the sequence are an original Bell state. In general, entanglement 
states such as Bell states exhibit purity properties only when all the entangled 
subsystems are gathered. A lack of some entangled subsystems leads to mixed 
states. If A is a legitimate person, the two qubits measured by B should be 
in a pure Bell state to give an acceptable result. If an adversary E attempts 
to impersonate A, qubits sent from E cannot reproduce pure states with the 
qubits stored in f?'s storage device. Thus the Bell measurement by B detects 
inevitable errors for £"s qubits. In (d,v), after B recognizes A correctly, B 
resends half of the qubits of the Bell pairs in the right state to A. A then 
stores them again in her smart card. In this protocol, there is no danger 
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of clone leakage of A's secret information from B, because S's contracted 
quantum state of qubits is the maximal entropy state. This is a remarkable 
advantage over classical protocols. However, if A's smart card is stolen by 
E, E is able to impersonate A easily and the protocol becomes insecure. 

Barnum 2: The second protocol proposed by Barnum [TO] uses catalyst 
states. First, A and B share an entangled state of two qubits. We 
consider another state \<p 2 ) of two qubits and assume that \<fi 2 ) is a state which 
is never converted from by local operations and classical communication 
(LOCC). However, it is assumed to be possible that if A and B also share 
a certain entangled state \x), called a catalyst state, A and B are able to 
transform into \<f> 2 ) by LOCC. Under the transformation, \x) remains 
unchanged. An explicit setting of 1^), \(f> 2 ) and |%) can be seen in a standard 
textbook |13j . Using a notion of catalyst states, Barnum proposed a quantum 
authentication protocol as follows. In (d,i), A and B share a sequence of 
qubit pairs in a catalyst state |x). In (d,ii), A stores half of the qubits in a 
quantum smart card and B keeps the other half in a quantum storage device. 
In (d,iii), B generates a sequence of qubit pairs in and sends half of the 
pairs to A. In this step, A and B share a sequence of four-qubit composite 
systems in a state ® \x)- They transform <g> \x) into \(f> 2 ) <g> \x) by 
LOCC. Then, A resends half of the qubit pairs in \<j) 2 ) to B. In (d,iv), B 
performs a measurement which verifies whether the composite systems of 
qubits sent from A and the qubits stored by B generated first in are 
really in \<p 2 )- If B gets a positive result, B recognizes A. If not, B stops the 
process. When E personates A, the transformation from to \<p 2 ) cannot 
be achieved by E due to a lack of \x)- The advantage of this protocol is that 
there is no need for A to send secret qubits in the catalyst state \x) to B. 
This reduces the risk that the secret key could be stolen in the transfer from 
A to B. However, as for Barnum 1, if A's smart card, which contains the 
catalyst-state qubits, is stolen by E, E can impersonate A easily. 

Guo et ai: In addition to the protocol of Barnum [10], a method of 
quantum authentication by a different use of Bell states was proposed by 
Guo et al. [5]. In (d,i), A and B determine a classical password as a sequence 
of numbers composed of 1,2,3,4. Each number is assigned to one of four 
orthogonal Bell states of two qubits. This generates a sequence of Bell states 
along the order of the classical password. In (d,ii), A stores half of the Bell 
pairs in a quantum smart card. B keeps the other half in a quantum storage 
device and also stores the classical password in an electronic database. In 
(d,iii), A sends the qubits stored in the smart card to B. In (d,iv), B performs 
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a Bell measurement of the qubits sent from A and the qubits stored by B so 
as to read out the classical password. B checks whether the obtained results 
agree with the password stored in the database. If the results are correct, B 
recognizes A. If not, B stops the process. In (d,v), B resends half the Bell 
pairs to A. In this protocol, similar to Barnum 1, the smart card does not 
contain any information about the classical password because the contracted 
quantum states of the qubits in the smart card are the maximal entropy 
state. However, this protocol is insecure against card theft. Moreover, there 
is a risk that copies of the classical password from £?'s database could be 
leaked. 

In the next section, we propose a secure protocol, which is robust against 
card theft. The protocol also prevents information leak from the verifier B. 



3 Basic Protocol 



In this section, we explain a basic protocol in order to outline the essence 
of the idea behind our full, more secure protocol, which we will be detail in 
section 5. The structure of the basic protocol is composed as follows. In 
(c) of the previous section, the secret keys are a sequence of qubit pairs in 
a Bell state. In (d,i), A and B meet and generate a sequence of qubit pairs 
in a Bell state |+). In (d,ii), B puts half of the Bell pairs into a quantum 
storage device, while A stores the other half in a quantum smart card. A also 
generates a classical password composed of bit values and 1 with the same 
length of the above sequence of Bell pairs. The password is not revealed to 
anybody, including B. A performs a unitary transformation on each qubit 
in the smart card, dependent on the bit value of A's password. When the 
bit value is 0, the unitary transformation is the identity transformation /. 
When the bit value is 1, the unitary transformation is R, which is not the 
identity transformation. The action of R changes |+) into another Bell state 
The state |£) is not orthogonal to |+). In (d,iii), A encodes the classical 
password by using two non-orthogonal quantum states |0) and \a) of a qubit. 
The part of the password with bit values is replaced by the state |0). The 
other part with bit values 1 is replaced by \a). We call the sequence of these 
qubits the quantum password. A sends to B both her quantum password 
and the qubits stored in her smart card. In (d,iv), B combines the qubits 
sent by A and the qubits that B keeps. The system becomes a sequence of 
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composite three qubits which contains a qubit of A's quantum password and 
two qubits of Bell pairs as secret keys. B performs a unitary transformation 
U on each three-qubit system. As seen below, if the input of U is legitimate, 
all the states of the Bell-pair part become |+) independent of the bit values 
of A's password. If not, other Bell components orthogonal to |+) appear in 
the output of U with nonzero probability and give an error. B performs a 
measurement to check whether the state is really |+). If the result is positive, 
B recognizes A. If not, B stops the process. In (d,v), B performs the inverse 
transformation U^ 1 to each set of three qubits in the sequence and resends 
only half of the Bell-pair part to A. The other half is entered again into B's 
storage device. The qubits of A's quantum password are discarded by B so 
that the information cannot be leaked. 

In the following, we explain the protocol in more detail. First of all, we 
specify the security levels of the environment. The region of A is assumed 
to be secure against any attack by an adversary E. Meanwhile, E is allowed 
to take classical information from the region of B, though E cannot get any 
quantum media in or out the 5's region. This assumption about .B's region 
implies for example that E can steal the data of the measurement results of 
B, but is not able to bring entangled qubits into £>'s region for teleportation 
or to remove any quantum state of B. We also assume that a public channel 
of classical communication is available between A and B in which radiowaves 
with signals of A spread widely in open space towards B and no adversary 
stops the communication. The channel is used for announcements to B of 
the start of A's protocol. 

We now give a detailed explanation using a password example. The pro- 
tocol is composed of nine steps, as follows. 

(1) A and B meet and generate N qubit pairs in a Bell state |+). For 
example, let us consider a case with N — 4. The state of the system is then 
given by |+)|+)|+)|+)- A stores half of the qubits Qa of the Bell pairs in 
a quantum smart card. B keeps the other half Qb of the Bell pairs in a 
quantum storage device. The process is depicted in Fig. 1. Box A represents 
A's smart card and box B represents the quantum storage device. The circles 
connected by wavy lines represent entangled qubits. (2) A generates an N- 
bit classical password K composed of Os and Is, keeping it secret from B 
and others. For instance, let us consider K = (0101). A performs a unitary 
transformation R on the qubits of Qa corresponding to the bit values 1 of K. 
The action of R changes |+) into another Bell state In the example, the 
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state of Qa and Q B is transformed into |+) |£) 1+) !£)• The process of (2) is 
depicted in Fig. 2. (3) In authentication, A generates a quantum password 
Qk- The bit values of K is encoded into a qubit state |0) and 1 of If is 
encoded into a state \a) non-orthogonal to |0). In the example, the quantum 
password is generated as Q K = |0)|a)|0)|a). (4) A sends Qa and Q K to 
B through a quantum channel. (5) B unlocks Qa and Q B using a quantum 
device UL with the quantum password Qk- The device UL operates so as 
to perform a unitary transformation U on the composite system of Qk, Qa 
and Qb- U does not change the input state |0)|+) with bit values of 
K and transforms the input state \o)\i) with bit values 1 of K into |c)|+), 
where |c) is a quantum state of a qubit of Qk- Fig. 3 depicts the input state 
for the N = 4 example and Fig. 4 shows the output state. (6) B checks 
whether the output state of Qa and is |+) 0Ar . This is done by a Bell 
measurement of |+). If a positive result is obtained, B recognizes A. If not, 
B stops the process. (7) B locks Qa and Qb by a quantum device L with 
Qk- The action of L is the inverse transformation of U. In the example, 
the output state of L for Qa and Qb is given by |+) |£) |+) The output 
state of L for Q K is given by |0)|a)|0)|a). (8) B breaks off Qk and erases 
the information so it cannot be stolen by others. (9) B returns Qa to A and 
A restores Qa to the smart card. 

We note that Qa and Qb cannot be decoded correctly by B without 
the information of K or Qk- Therefore, even if the smart card is stolen by 
E, E cannot impersonate A without K. Thus, property (I) in section 1 is 
achieved. Moreover, the contracted states of the qubits of Qa become the 
maximal entropy state: 

I 

Pmax 2^ 

Thus property (II) in section 1 is verified. Similarly, the contracted states of 
Qb also become the maximal entropy state. Therefore, the storage device of 
B does not contain any information of K. It is also stressed that the only 
information that B holds is Qb- Hence E cannot steal useful information 
about K from £?'s storage device. This guarantees property (III). In step 
(4), the information of K is encoded by two non-orthogonal states. Thus, 
E cannot perfectly obtain Qk by eavesdropping. By using an extension 
which will be proposed in section 5, rapid detection of eavesdropping also 
becomes possible and achieves property (IV). It is notable that there exists no 
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entanglement between A's quantum password Qk and the composite system 
of Qa and Qb- Therefore, Qk is disposable in each round of the protocol. 
Therefore property (V) is attained. B cannot get perfect information of 
K in steps (5) and (6) because the quantum qubits accessible by B are all 
non-orthogonal to each other. 

In the following, we give explicit forms of the unitary transformation R 
and U. Let us define four Bell states orthogonal to each other as follows: 

|±> = -^[|0>|0>±|1>|1>], 

|5 ± ) = -L[|0)|1>±|1>|0>], 

where |0) and |1) are two orthonormal states of a qubit. The first qubit is 
stored by A and the second by B. The state \a), which is used when A's 
quantum password is generated, is given by 

| a) = a|0)+/3|l), 

where a and (3 are real constants such that < a < 1 and (3 = y/1 — a 2 . 
The unitary transformation R is defined as follows: 

R\0) = e* 5 \0), 
R\l) = e~ iS \l), 

where 5 is a real parameter. For later convenience, we introduce two real 
parameters £ and rj such that e tS = £ + irj, < £ < 1 and rj = a/1 — £ 2 . 
Acting on A's qubit in |+) with R yields a new Bell state 



i2®/|+) = |0, (1) 



where |£) is given by 



IO=£l+>+i»7|->- 

It is easy to check explicitly that |£) is a Bell state because the following 
relations hold: 

PB = r to[\Z)(t\] = ± 
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Because |+) is also a Bell state, the following relations are also satisfied: 



PA = Tr[|+)(+|] = ^ 

PB = Tr[|+)(+] = ^. 

Consequently no information of K can be extracted from only Qa or Qb- 

Here it should be noted that a similar idea of imprinting information 
into Bell states by a local operation has been proposed in [T1J. However, 
the authors treat only orthogonal Bell states. In contrast, non-orthogonal 
Bell states play a crucial role in our protocol. Because |+) and |£) are not 
orthogonal to each other, B cannot decode K perfectly by a measurement of 
Q A and Q B - 

The unitary transformation U is defined such that the following relations 
are satisfied: 



£/|0>i+> = |0>|+>, (2) 

r/|i>i+> = §eii>i+>+«u|o>i->+« 2 i|i>i->, 



«/|0>|-> = -i^|l>|+>+tti 2 |0>|->+« 2a |l>|->, 

U\l)\-) = -i^\l}\+)+u l3 \0)\-}+u 23 \l}\-}, 
U\b)\B ± ) = \b)\B ± ), 

where d is a real parameter given by d — y/l — a 2 !; 2 and Uij are complex 
numbers satisfying uniary relations given by 



\Ull\ + « 2 1 = 1 



(P 



I |2 | | ,2 i "V 
\Ul2\ + \U22\ =1 ^2~, 

I "13 | + F23| =1 
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UuU 13 + U 2 lU 2S 
U\\U* X2 + M21«22 

[/ has the following properties. For bit values of K, the input state |0)|+) 
does not change at all under U operation as seen in Eq. (j2J). For bit values 
1 of K, the input state is transformed into 

U\a)\0 = \c}\+), (3) 
where |c) is a state defined by 

|c) = a£|0) + d|l). (4) 

Eq. ([3]) can be directly verified from Eq.(jlj) and the inverse relation U~ 1 \c)\+) = 
|ck)|£), which is derived from unitary relations such that 



—1 



af3rf 



u- L \o)\+) = |0)|+>, 

= f |i)i+) + ^io)i-) + ^|i)|-). 

From Eq. (j2J) and Eq. Q, it is verified that entanglement between Qk and 
Qa + Qb is not generated before and after the operation of U and Z7 -1 . 
Therefore, purity of the state for Qa + Qb is preserved even if Q K is discarded 
by B after the authentication. This fact allows us to repeat the use of Qa 
stored in the smart card. 



4 Security Analysis 

In this section, we present security analysis of the above protocol. First, 
we assume that E does not have A's smart card and her password K. The 
success probability p s of E per qubit to pass the authentication test by B 
is evaluated as follows. Without access to K, E has to prepare a universal 
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optimal state \V E )® N of Q k + Qa forged quantum password and a forged 
smart card. Without loss of generality, \^e) is written as 



\*e) = * 



00 



*oi|0>|1) + *io|1)|0) + *ii|1>|1>, 



where are complex coefficients satisfying the normalization condition of 
the state. The first qubit corresponds to Qk and the second to Qa- Because 
the forged input of E is not at all entangled with Q B , the input state of Q B 
of U is given by /s/2, independent of the bit values of K. Hence p s is written 

as 



Ps 



(+|Tr 



K 



U[\*e)IPe\ 



IB 



1+) 



= ^I(0|(+|C/|^)|0)| 2 + ^|(0|(+|C/|* B )|1)| 2 

+^l(i|(+l^l^)|o)l 2 + ^l(i|(+|f/|^)|i)l 2 , 

where the trace is taken in terms of the state space of Q K . Through straight- 
forward manipulations, p s is evaluated as 



1 i.t. |2, l, lT/ ,2 
Ps = ^ |*00 1 + ^ |*01 1 



1 

+ 4 

1 

+ 4 



a a 



d 



d 



by use of the following unitary relations. 



(o\(+\u 



(o|(+|, 
f<i|<- 



<><■ 
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We can show that p s is bounded above by applying Schwartz inequalities as 
follows: 

1 ,2 1 , ,2 

Ps < -l^ool +^10| 

+ I(|^ 10 | 2 + |^oo| 2 ) 

+ i(|^ n | 2 + |^oi| 2 ) 

= ^(l^oo| 2 + |^io| 2 ) + i 
1 

< -. 
~ 2 

Consequently, we get a lower bound of detection probability of £"s imper- 
sonation as 



P { P > 1 



2 



Therefore, B is able to detect E with a high probability for a large N . 

Next, we consider a case where E succeeds in stealing A's card. However, 
we assume that E does not know K. In this case, E must make a forged 
quantum password. The optimal state for each qubit is denoted by p E = 
\Ke)(Ke\- Assuming K is randomly generated, the appearance probability 
of each bit value of K is 1/2. For bit values of K, the state of Qa + Qb is 
|+). Thus, the detection probability of E per qubit is given by 

p E0 = Tr [U (p E ® l+X+l) C/t (/ _ | + )( + |)] . 

For bit values 1, the state is Hence, the detection probability is written 

as 

PEi = Tr[U(p E ®\Q{Z\)rt (/-l+X+l)]. 
The average detection probability per qubit is given by 

1 1 
As = ^Peo + -Pei- 

We parametrize p E as 
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Pe = r\0){0\ + (1 - r)|l)(l| + (x + iy) |0)(1| + (x - iy) |1)(0|, 

where 

< r < 1, x 2 + y 2 = r(l — r). 
The detection probability is then evaluated as 

1 1 -E 2 

A e = 172 [1 + « 2 - 2 «V - 2a/3a;] . 

z 1 — cr£ 

The minimum value of A E in terms of r and x is easily obtained as 

p n = mm Ae = —2 (1 - a) . 

2 1 - " £ 

For instance, taking typical values of ct and ^asa; = ^ = l/2, the value of 
p n is evaluated as p n = 1/5. It is noted that the total detection probability 
of E is given by 

P W = l-(l-Pn) N . 

Consequently E can be detected with a high rate for a large N. 

A comment should be made about man-in-the-middle attacks. If E is 
able to secretly occupy classical and quantum channels between A and B and 
perform any attack allowed by physics laws, E is able to steal all the quantum 
states of A in the transfer through the channels. In order to impersonate A 
after this round of the protocol, E must keep the stolen qubits. However, 
we have assumed that E cannot prevent B from knowing the start of A's 
authentication protocol through a public channel. In order to avoid B quickly 
noticing the impersonation, E has to send some forged qubits as Qa and Qk 
to B. Then the identification test by B yields a wrong output and the man- 
in-the-middle attack is easily noticed. 

Though our protocol has many advantages, as detailed above, some sub- 
tle loopholes exist. One of them may occur in step (4). Because of the 
non-orthogonality of |0) and \a), perfect cloning of Qk in the channel is 
prohibited. However, it is possible for E to attempt an approximate cloning 
of Qk- Even though the cloning leaves a disturbance in the states of Qk 
received by B, the detection rate of eavesdropping is not large. If B fails to 
detect E, E may next try to steal A's smart card. Let us assume that E 
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succeeds in obtaining the card. This card-steal attack with an approximate 
clone of Qk strongly decreases B's probability of detecting impersonation. 
Another loophole may occur in step (8). B discards A's quantum password 
Qk after the authentication. If E infiltrates B's region and secretly mea- 
sures Qk and accumulates the results, E can estimate K with high precision 
after several rounds by A and B. This may lead to possible abuse of the 
information by E. In the next section, we give an improved protocol robust 
against these attacks, without loss of the advantages of the basic protocol. 

5 Extended protocol 

In this section, we present an extended protocol, which increases the detection 
probability of eavesdropping in quantum channels and decreases the amount 
of knowledge of K leaked in the discarding step of Qk- Before A sends Qk 
to B, A generates a long sequence of two non-orthogonal states of qubits like 
the BB84 quantum key distribution [Hj and uses them as decoys to detect 
eavesdropping. In order to suppress the leakage of information about K, 
a one-time-pad method is adopted when A generates a quantum password. 
The extended protocol is composed of 14 steps as follows. 

(1) A and B meet and generate iV qubit pairs in a Bell state |+). A 
stores half of the Bell pairs Qa in a quantum smart card. B keeps the other 
half Qb in a quantum storage device. (2) A generates an iV-bit classical 
password K composed of Os and Is and keeps it secret from B and others. 
A performs R for Qa qubits corresponding to bit values 1 of K. (3) In 
authentication, the lock process is reversed using K. A performs for Qa 
qubits corresponding to bit values 1 of K. (4) A generates iV-bit pseudo- 
random numbers K. K is used as a one-time-pad password in the transfer of 
A's qubits. A performs R for Qa corresponding to bit values 1 of K. (5) A 
generates a quantum password Q K . The bit values of K are encoded into 
a qubit state |0) and bit values 1 of K into (6) A generates a sequence 
of No pseudo-random numbers Kq composed of 2,3,4,5. Kjj is quantum 
mechanically encoded using four quantum states |0), |1) and 
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|1x> = ^(|0>-|1». 

The number 2 in Kd is replaced by |0), 3 by |1), 4 by |0 X ) and 5 by |l x ). 
We call the sequence of qubits Qd- (7) A makes randomly slip into Qd 
and sends Qa and + Qd to B. (8) After they are received by B, A 
announces to B the positions of the qubits of and the value of K D . B 
then separates Qd from Q^. B measures Qd in the basis of {|0), |1)} if the 
value of Kd is 2 or 3 and in the basis of {|0 X ), |l x )} if the value of Kd is 4 
or 5. If the results are consistent with Kd, B makes a judgement that there 
is no eavesdropping. If it is judged that eavesdropping may have occurred, B 
stops the process. (9) B unlocks Qa and Qb by the unitary transformation 
U with the password Q^. U does not change the input state |0)|+) with bit 
value of K and transforms the input state \a) |£) with bit value 1 of K into 
|c)|+). (10) B checks whether the output state of Q A + Qb is |+) 0Ar . If the 
result is positive, B recognizes A. If not, B stops the process. (11) B locks 
Qa and Q B by U' 1 with Q^. (12) B discards Q^. (13) B returns Qa to A 
and A restores Qa to the smart card. (14) A performs R^ 1 to the qubits of 
Qa corresponding to bit values 1 of if to make the state of Qa + Qb to be 
1+)®^. Then, A locks Qa + Qb by the original password K. A performs R 
on the qubits of Qa corresponding to bit values 1 of K. 

The one-time-pad password method in step (4) prevents E from stealing 
the information of the original password K when the quantum password is 
discarded by B. Step (8) of the protocol also prevents approximate cloning 
attacks by E eavesdropping by taking a large Np. A detailed security analysis 
will be reported elsewhere. 

It is expected that the protocol will protect the basic infrastructure of 
the information-based society if a quantum smart card is devised which can 
store quantum information for a long period. 
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Figure Captions 



Fig. 1: In the basic protocol, A and B meet and share Bell pairs. The 
case with K = (0101) is depicted. The state of the system is given by 
| +) | +)|+)|+)- A stores half of the Bell pairs Qa in a quantum smart card. 
B keeps the other half Qb in a quantum storage device. Box A indicates 
the smart card and box B indicates the quantum storage device. The circles 
connected by wavy lines represent entangled qubits. 

Fig. 2: A generates a classical password K composed of 0s and Is and 
keeps it secret, even from B. The case with K = (0101) is depicted. A 
performs a unitary transformation R on the qubits of Qa corresponding to 
bit values 1 of K. The action of R changes |+) into another Bell state 
In this example, the state of Qa and Qb is given by | I +)!£)• 

Fig. 3: B unlocks Qa and Qb using a quantum device UL with the pass- 
word Qk- The device UL operates so as to perform a unitary transformation 
U on the composite system of Qk, Qa and Qb- The input state is depicted 
for the example. 

Fig. 4: The output state of UL is depicted. 
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